Destination-nat Rule Without inbound-interface

Hi,

Can I create dstnat rules without specifying the inbound-interface?

set nat destination rule 99 destination address '8.8.8.8'
set nat destination rule 99 destination port '53'
set nat destination rule 99 inbound-interface 'eth0.110'
set nat destination rule 99 protocol 'udp'
set nat destination rule 99 translation address 'xxx.xxx.24.10'
set nat destination rule 99 translation port '53'

I need to redirect all OpenDNS traffic to our DNS, but the problem is that there are too many PPPoE users/interfaces, so I would have to create rules one by one for each interface.

For example, on a MikroTik router you can create rules without having to specify a specific interface:
ip firewall nat add action=redirect chain=dstnat dst-address-list=opendns dst-port=53 protocol=udp src-address-list=!bypass-open-dns to-ports=53

Thanks.

It is necessary to declare an interface or a NOT interface, for example not the WAN interface.

Can it be done with an interface-list or address-list only? Because if there are 1000 PPPoE users, then 1000 rules are needed too.


As I mentioned above, you can use a NOT interface, just one rule:

inbound-interface '!eth2'
where eth2 is, for example, the WAN port. So it will work for all interfaces except eth2.

I can't use this option; I get this error in the log, running on rc.6:

WARNING: rule "100" interface "!eth4.1000" does not exist on this system

The interface is already up:
show interfaces ethernet eth4.1000
eth4.1000@eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000

Configuration commands:
set nat destination rule 100 destination address '8.8.8.8'
set nat destination rule 100 destination port '53'
set nat destination rule 100 inbound-interface '!eth4.1000'
set nat destination rule 100 protocol 'udp'
set nat destination rule 100 translation address 'x.x.x.10'
set nat destination rule 100 translation port '53'

Can you share your commit output?
If it only says WARNING, the config should still be committed properly; this is just a warning message.
Please share the commit result. Also, with "sudo iptables -S", you can look for that entry in iptables.

Hello @arif.rahmadi

You can try this command:

set nat destination rule 100 inbound-interface 'any'

It would be good to add 'any' to the inbound-interface's choice list, and to the manual examples.

This warning still seems to be present when using !. However, I'm not sure if it still works with nft.

It sets it in the nft chain, but I can't find any documentation of nft supporting "!".

oifname "!eth2" ip saddr 10.0.8.0/24 counter packets 0 bytes 0 snat to x.x.x.x comment "SRC-NAT-1"

Never mind, support was introduced in a (recent) commit.
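To follow the advice above (check whether the rule actually landed in the firewall backend) and the later question of how the "!" interface match shows up in nft, here is an added example that is not code from the thread or from VyOS: it parses a constructed `nft list ruleset` excerpt for the DNS redirect rules discussed and reports, per inbound interface, which rules would apply. The table name, rule comments and counters are assumed sample values.

```python
import re

# Constructed excerpt of `nft list ruleset` output (not captured from a real box),
# shaped like the dstnat chain the rules in this thread would render to.
SAMPLE_RULESET = """\
table ip vyos_nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		iifname != "eth4.1000" ip daddr 8.8.8.8 udp dport 53 counter packets 12 bytes 840 dnat to 10.0.0.10:53 comment "DST-NAT-100"
		iifname "eth0.110" ip daddr 8.8.8.8 udp dport 53 counter packets 0 bytes 0 dnat to 10.0.0.10:53 comment "DST-NAT-99"
		ip daddr 208.67.222.222 udp dport 53 counter packets 3 bytes 210 dnat to 10.0.0.10:53 comment "DST-NAT-101"
	}
}
"""

# nft writes negation as `iifname != "x"`; an absent iifname match means "any interface".
RULE_RE = re.compile(
    r'^\s*(?:iifname\s+(?P<neg>!=\s+)?"(?P<iif>[^"]+)"\s+)?'
    r'ip daddr (?P<daddr>\S+)\s+(?P<proto>udp|tcp) dport (?P<dport>\d+).*?'
    r'dnat to (?P<target>\S+).*?comment "(?P<name>[^"]+)"'
)


def parse_dnat_rules(ruleset):
    """Extract every dnat rule from nft output as a dict of its match fields."""
    rules = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # table/chain headers and non-dnat rules are skipped
        rules.append({
            "name": m["name"],
            "iif": m["iif"],                 # None -> matches any inbound interface
            "negated": m["neg"] is not None,  # True for `iifname != "..."`
            "daddr": m["daddr"],
            "proto": m["proto"],
            "dport": int(m["dport"]),
            "target": m["target"],
        })
    return rules


def rules_matching_iface(rules, iface):
    """Names of dnat rules that apply to a packet arriving on `iface`."""
    names = []
    for r in rules:
        if r["iif"] is None:
            applies = True                  # 'any' style rule
        elif r["negated"]:
            applies = r["iif"] != iface     # '!eth4.1000' style rule
        else:
            applies = r["iif"] == iface
        if applies:
            names.append(r["name"])
    return names
```

Run it against `sudo nft list ruleset` output on the router to confirm a negated or interface-less rule is present once rather than once per PPPoE interface.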